
Re: Moving forward on improving HTTP's security

From: Michael Sweet <msweet@apple.com>
Date: Wed, 13 Nov 2013 08:21:17 -0500
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-id: <95810922-87BB-4555-B1AD-350C8BA78741@apple.com>
To: Mark Nottingham <mnot@mnot.net>
Mark,

On Nov 13, 2013, at 5:01 AM, Mark Nottingham <mnot@mnot.net> wrote:
> ...

> To be clear - we will still define how to use HTTP/2.0 with http:// URIs, because in some use cases, an implementer may make an informed choice to use the protocol without encryption. However, for the common case -- browsing the open Web -- you'll need to use https:// URIs if you want to use the newest version of HTTP.

For the record, I strongly believe that support for unencrypted HTTP/2.0 is still needed and useful, particularly when you are routing it over an already "secure" channel to a resource-constrained device.  And there will likely be practical real-life limitations of what browser vendors choose to implement, i.e., no HTTP/2.0 support for http:// URIs.  However, I honestly don't see how this WG can actually enforce/mandate https:// and still allow http:// URIs.  So long as unencrypted URIs are supported by HTTP/2.0, the best you can do is make security recommendations since TLS is not REQUIRED (in the RFC 2119 sense) for the open web.

I also believe that HTTP/1.x has been so successful because of its ease (and freedom) of implementation. But IMHO restricting its use to https:// will only limit its use/deployment to sites/providers that can afford to deploy it and prevent HTTP/2.0 from replacing HTTP/1.1 in the long run.

_______________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
Received on Wednesday, 13 November 2013 13:22:05 UTC